3/03/2010 @ 6:00PM

The Real Meaning Of Cyberwarfare

Connect the dots between reports of Chinese cyberspying, crippling network attacks in South Korea and Estonia and the U.S. military’s ramping up of cyber capabilities, and it would seem that a third World War is underway on the Internet.

Not so fast, says Jeffrey Carr, author of Inside Cyberwarfare, a plainspoken guide to cyber threats that was published by O’Reilly Media earlier this year. Carr, the chief executive of cybersecurity consultancy Grey Logic, takes a more measured approach to the new age of digital defense, starting with the definition of so-called “cyberwar.” In Carr’s view a war hasn’t begun until metal is flying through the air. That means the real threat to U.S. networks comes not from sleeper software planted by state-sponsored cyberspies, but from a combined attack of atoms and bits, or from cyber-enabled radical groups or criminals engaged in what’s more properly called “cyberterrorism.”

Carr argues that we need to distinguish between cyberwar and cyberterror, as well as cyber-espionage and cybercrime–even while we unify our defense against each of those looming problems. Forbes spoke with him about why those words matter, why China is far from our most dangerous potential cyber adversary, and the danger of the American military engaging in pre-emptive cyber attacks.

Forbes: In February former National Security Administration Director Mike McConnell published an editorial in the Washington Post that began, “The United States is fighting a cyber-war today, and we are losing.” Are we in the middle of a cyberwar? Or a cyber-Cold War?

Carr: I don’t view it that way. There are distinctions to be made. If you’re referring to the buildup of network attacks and defense weaponry, every country’s military is engaging in that to some extent. It’s a natural process of preparation for traditional war by armed forces around the world.

So you’re saying that the military doesn’t really treat cyberwar as different from traditional war?

No, and they shouldn’t. If you look at the examples of cyberwar so far, in most every case, it’s in conjunction with a military attack. Russia’s invasion of Georgia, for instance, was a clear example of armed engagement that included attacks on government Web sites and penetration into government networks.

Also in the case of Israel’s “Cast Lead” operation in the Palestinian territories, you had kinetic fighting between the Israelis and Hamas, but at the same time attacks on networks by non-state actors and–by some indication–employees of the Israeli Defense Forces.

So essentially you’re saying there’s no such thing as a “cyberwar,” but there is “cyberwarfare.”

Right. It’s a tool in a general’s toolkit. A cyber attack might be an opening salvo that would be followed by some type of military attack.

There is no legal status for cyber war. War is a kinetic attack, an armed attack. That’s the only definition in any treaty. What we call “cyberwar” is an area that’s extremely malleable right now.

But haven’t we seen examples of pure cyberwar? What about the attacks last summer that were attributed to North Korea, or the attacks on Estonia in 2007?

Those certainly don’t qualify. There was no clear state actor, and there was no shred of evidence that it was North Korea. North Korea doesn’t have a lot of money, but one place they invest is in their cyber capabilities, and they wouldn’t have written malware that sloppily. Those attacks had no real effect. They were just noise.

And Estonia?

In the case of Estonia, I do consider that a serious attack, but I wouldn’t call it a war. That’s a word that should be used more carefully. If everything is considered a war, then you lose the ability to respond appropriately.

Last summer one senator advocated a physical attack against North Korea following those denial-of-service attacks. That was wrong. It’s the kind of overreaction you can expect when you throw around words like “war” instead of trying to be more precise.

I suppose the result of your definition of cyberwarfare would be that our cyberwar adversaries would be the same as our real-world military adversaries.

Yes, states that would normally attack us are the same as the ones that might attack our networks.

But there is a difference between traditional warfare and cyberwarfare? You’ve written that one of the dangers of cyber-attacks is that there’s no deterrence based on a fear of retaliation.

Without attribution there’s no deterrence–that’s true. But there is a different kind of deterrence. China needs the U.S. They don’t want to cripple our economy or destroy our banking institutions, because that would destroy their economy as well.

We don’t have to worry about China turning off the lights. They may be inside the grid. They may be able to flip that switch, but they would only do it out of self defense. There are those sorts of mitigating factors that you’d have to look at in terms of deterrence.

You have to ask what China wants. It wants our intellectual property, not to destroy cities.

If you don’t believe China would launch cyber attacks on the U.S., what do you see as the larger threats?

Theoretically, you could discuss a virtual war between nation states, but non-state actors like radical groups and criminals are much more likely to be a threat. Overall I advocate breaking down the silos between our approach to cybercrime aimed at financial institutions, cyber-espionage, cyberwarfare and cyberterrorism. All of these should be looked at in building an overall cyber response strategy.

Former antiterrorism czar Richard Clarke makes the argument in his forthcoming book Cyberwar that North Korea is better prepared for cyberwarfare than China or the U.S. because it could cut itself off more easily from the Internet.

I’d definitely agree that North Korea is a bigger threat. China is also much more rational. You can deal with them. North Korea is like a crazy person. You can’t deal with a lunatic with a bomb in his hands.

Similarly, it’s much harder to deal with terrorist groups and criminal organizations. They have the money, and they have the motives, and they worry me much more than China.

Some cybersecurity analysts think the U.S. could use a cyber attack preemptively to prevent a war–for instance shutting down the nuclear capabilities of India and Pakistan if they threatened to bomb each other. You’ve written that you disagree. Why?

I think that would backfire. It’s a disastrous idea. You don’t know that you’d be successful. It’s not like throwing cold water on a couple of fighting dogs. It’s incredibly risky.

How long do you keep their networks shut down? Eventually they will get their capacity back. You’re inviting more cyber attacks, opening a huge can of worms that can’t be closed.

What should the U.S. be doing to prevent a cyber attack on our critical infrastructure?

Going after the safe havens, just as we do in Iraq and Afghanistan. You move into an area, you help them build up their infrastructure, you help the citizens, you make friends, solve their problems, get intelligence. You use that to identify your opponents and shut them down.

Why haven’t we experienced a cyber 9/11?

Why hasn’t there been a loss of life attributed to a cyber attack? Two reasons: it’s not in a state actor’s interest, and they’re the ones who are tolerating or supporting these attacks so far. Radical groups, which do have the motivation, don’t have a clue about cyberspace yet.

Cyber is not part of reality for al Qaeda. But if you think about the young radicals who have grown up on the Internet, were recruited with it and were trained with it, they’ll look to the Internet as an attack method.